SS-2013-008: XSS in form validation errors
- Severity: Low (?)
- Identifier: SS-2013-008
- Versions Affected: 3.0.6, 3.1.0
- Versions Fixed: 3.0.7, 3.1.0-rc3
- Release Date: 2013-09-24
The CMS allows for user feedback through custom messages generated by form or form field validation. If these messages incorporate user-provided data, for example by quoting a wrongly formatted value back to the user, they can lead to cross-site scripting. Validation messages usually prevent the form from saving, so the malicious input is normally neither persisted nor accessible to other users. However, since Form->sessionMessage() can also be used to pass success messages to the user, this can lead to persisted malicious input in the rare cases where stored data is used to compose such a message.

Form and form field messages are assumed to be plain text, and are escaped by default.
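The following PHP snippet is an added illustration of the pattern described above and is not SilverStripe's own code. It builds a validation message that quotes the rejected value, renders it once as raw HTML (the weak form) and once as escaped plain text (the fixed behaviour), and shows that a success message composed from stored data needs the same treatment. The function names, the `message bad` / `message good` class names and the sample values are assumptions constructed for the example.

```php
<?php
// Added example, not part of the advisory or of SilverStripe itself.
// Demonstrates why validation and session messages must be treated as
// plain text and escaped when placed into HTML.

/**
 * Builds the message shown when a submitted value fails validation.
 * The rejected value comes straight from the request, so it is under
 * the submitting user's control.
 */
function buildValidationMessage(string $fieldLabel, string $rejectedValue): string
{
    return sprintf('"%s" is not a valid %s', $rejectedValue, $fieldLabel);
}

/**
 * Builds a success message from data that was already stored by an
 * earlier request. If that stored data came from a user, the message is
 * attacker-influenced even though the form itself validated cleanly.
 */
function buildSuccessMessage(string $storedTitle): string
{
    return sprintf('Saved "%s" successfully', $storedTitle);
}

/**
 * Weak rendering: the message is concatenated into the page as HTML, so
 * any markup inside the quoted value is interpreted by the browser.
 */
function renderMessageUnsafe(string $message, string $cssClass): string
{
    return '<span class="message ' . $cssClass . '">' . $message . '</span>';
}

/**
 * Fixed rendering: the message is treated as plain text and escaped
 * exactly once, at the point where it enters the HTML document.
 * ENT_QUOTES covers both quote styles so attribute contexts are safe too.
 */
function renderMessageEscaped(string $message, string $cssClass): string
{
    return '<span class="message ' . $cssClass . '">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Constructed sample input: a value that is syntactically an HTML tag.
$submitted = '<b>not-an-email</b>';

// Reflected case: the rejected value is quoted in a validation error.
$validationMessage = buildValidationMessage('email address', $submitted);
echo renderMessageUnsafe($validationMessage, 'bad'), PHP_EOL;
echo renderMessageEscaped($validationMessage, 'bad'), PHP_EOL;

// Persisted case: a stored record title is quoted in a success message
// passed through something like Form->sessionMessage(). The same escaping
// at render time prevents the stored markup from becoming active.
$storedTitle = $submitted; // assume this was saved by an earlier request
$successMessage = buildSuccessMessage($storedTitle);
echo renderMessageUnsafe($successMessage, 'good'), PHP_EOL;
echo renderMessageEscaped($successMessage, 'good'), PHP_EOL;
```

The design point is where the escaping happens: the message-building functions keep working with plain text, and the single escaping step sits in the rendering function. Escaping earlier, inside the builders, invites double-encoding when the same message is later escaped again by a template, while escaping nowhere is the defect the advisory describes.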
Reported by Vulnerability Laboratory Evolution